-rw-r--r--archetypes/profiles/desktop/default.nix1
-rw-r--r--nixos/polkit.nix22
-rw-r--r--nixos/resources/polkit-1/rules.d/0-wheel-no-pass.rules5
-rw-r--r--nixos/resources/polkit-1/rules.d/10-reboot-poweroff-users.rules13
4 files changed, 34 insertions, 7 deletions
diff --git a/archetypes/profiles/desktop/default.nix b/archetypes/profiles/desktop/default.nix
index 8156953..0e68b84 100644
--- a/archetypes/profiles/desktop/default.nix
+++ b/archetypes/profiles/desktop/default.nix
@@ -22,6 +22,7 @@
_polkit = {
enable = mkDesktop true;
gnome.enable = mkDesktop true;
+ allowUserPowerControls = mkDesktop true;
};
};
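Review bot: The added line switches `allowUserPowerControls` on for every host built from the desktop profile, and (per the rule file this commit ships) that grants every member of the `users` group reboot and power-off without authentication. If that default is intended, a one-line comment on the added line would spare the next reader a trip to the rule file, e.g. `# every member of "users" may reboot/power off without authenticating`. `mkDesktop` and the enclosing attribute set are defined outside this hunk.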
diff --git a/nixos/polkit.nix b/nixos/polkit.nix
index d2ed5dc..875b50a 100644
--- a/nixos/polkit.nix
+++ b/nixos/polkit.nix
@@ -24,6 +24,8 @@ in {
enable = lib.mkEnableOption "enables polkit_gnome authentication agent";
package = lib.mkPackageOption pkgs "polkit_gnome" { };
};
+ allowUserPowerControls = lib.mkEnableOption "allow users to control the power state of the machine using poweroff/reboot commands";
+ wheelNoPass = lib.mkEnableOption "allow users in wheel group to execute all commands without password";
};
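Review bot: The description on the second added line, "execute all commands without password", misstates what the option does: polkit authorizes polkit actions requested over D-Bus, not command execution, and the rule this option installs returns `polkit.Result.YES` for every action id, so the grant is broader than the wording suggests while sudo is untouched. Suggest `wheelNoPass = lib.mkEnableOption "grant members of wheel every polkit action without authentication (blanket polkit.Result.YES; does not affect sudo)";`. The `allowUserPowerControls` description should likewise name the group it applies to (`users`, per the rule file) so the scope is visible from the option alone. The enclosing `options` set starts before this hunk.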
config = lib.mkIf cfg.enable {
@@ -31,12 +33,18 @@ in {
environment.systemPackages = lib.mkIf cfg.gnome.enable [ pkgs.polkit_gnome polkit_gnome-autostart ];
- #security.polkit.extraConfig = ''
- # polkit.addRule(function(action, subject) {
- # if (subject.isInGroup("wheel")) {
- # return polkit.Result.YES;
- # }
- # });
- #'';
+ # Optional rules
+ environment.etc = let
+ pkRulesD = "polkit-1/rules.d";
+ in {
+ "${pkRulesD}/10-reboot-poweroff-users.rules" = {
+ enable = cfg.allowUserPowerControls;
+ source = ./resources/polkit-1/rules.d/10-reboot-poweroff-users.rules;
+ };
+ "${pkRulesD}/0-wheel-no-pass.rules" = {
+ enable = cfg.wheelNoPass;
+ source = ./resources/polkit-1/rules.d/0-wheel-no-pass.rules;
+ };
+ };
};
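Review bot: The `# Optional rules` comment on the first added line does not say why the two files carry the `0-` and `10-` prefixes, and the ordering matters: polkit reads rules.d files in lexical filename order and the first rule that returns a non-null result decides, so `0-wheel-no-pass.rules` is consulted before every other file (including, if I recall correctly, the `10-nixos.rules` that NixOS generates from `security.polkit.extraConfig`). Suggest expanding the comment to `# Optional polkit rules; files are evaluated in filename order and the first non-null result wins, so the 0- prefix makes the wheel rule pre-empt all others`. The `config` block continues outside this hunk.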
}
diff --git a/nixos/resources/polkit-1/rules.d/0-wheel-no-pass.rules b/nixos/resources/polkit-1/rules.d/0-wheel-no-pass.rules
new file mode 100644
index 0000000..93abf0d
--- /dev/null
+++ b/nixos/resources/polkit-1/rules.d/0-wheel-no-pass.rules
@@ -0,0 +1,5 @@
+polkit.addRule(function(action, subject) {
+ if (subject.isInGroup("wheel")) {
+ return polkit.Result.YES;
+ }
+});
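Review bot: The condition on the second added line grants `polkit.Result.YES` for every action id to any subject in `wheel`, with no check that the requesting session is local or active, so a wheel member acting through a remote or background session receives the same blanket grant as one at the console. Narrowing to `if (subject.isInGroup("wheel") && subject.local && subject.active) {` keeps the intent (no password prompts at the desk) while leaving polkit's normal policy in place for everything else. Since this file sorts first in rules.d, any later rule that would have returned a stricter result for wheel is never reached; a `polkit.log(...)` call before the return would at least make the grants visible in the journal.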
diff --git a/nixos/resources/polkit-1/rules.d/10-reboot-poweroff-users.rules b/nixos/resources/polkit-1/rules.d/10-reboot-poweroff-users.rules
new file mode 100644
index 0000000..6b1cffb
--- /dev/null
+++ b/nixos/resources/polkit-1/rules.d/10-reboot-poweroff-users.rules
@@ -0,0 +1,13 @@
+polkit.addRule(function (action, subject) {
+ if (
+ subject.isInGroup("users") &&
+ [
+ "org.freedesktop.login1.reboot",
+ "org.freedesktop.login1.reboot-multiple-sessions",
+ "org.freedesktop.login1.power-off",
+ "org.freedesktop.login1.power-off-multiple-sessions",
+ ].indexOf(action.id) !== -1
+ ) {
+ return polkit.Result.YES;
+ }
+});
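Review bot: The condition starting on the third added line checks group membership only, so any member of `users` with a remote session can reboot or power off the host without authentication; adding `subject.local && subject.active &&` after `subject.isInGroup("users") &&` limits the grant to whoever is physically logged in. The list also includes the `-multiple-sessions` action ids, which logind gates behind admin authentication precisely because they terminate other users' sessions; drop those two entries unless that is intended, and say so in a comment. Keeping `indexOf(...) !== -1` rather than `includes` is the right call here, as the rule runs inside polkit's embedded JS engine rather than a modern runtime.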